Warning: Permanently added '10.128.1.46' (ECDSA) to the list of known hosts.
[ 41.758236] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.869157] audit: type=1400 audit(1571638722.976:36): avc: denied { map } for pid=6947 comm="syz-executor514" path="/root/syz-executor514680174" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.100921] IPVS: ftp: loaded support on port[0] = 21
[ 42.958486] chnl_net:caif_netlink_parms(): no params data found
[ 42.986801] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.993570] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.001151] device bridge_slave_0 entered promiscuous mode
[ 43.008030] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.014464] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.021621] device bridge_slave_1 entered promiscuous mode
[ 43.035219] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 43.043959] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 43.058776] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 43.066189] team0: Port device team_slave_0 added
[ 43.071645] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 43.078595] team0: Port device team_slave_1 added
[ 43.083962] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 43.091544] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 43.143282] device hsr_slave_0 entered promiscuous mode
[ 43.180383] device hsr_slave_1 entered promiscuous mode
[ 43.220665] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 43.227537] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 43.239870] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.246303] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.253285] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.259627] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.284851] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 43.291094] 8021q: adding VLAN 0 to HW filter on device bond0
[ 43.299556] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 43.307955] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.326150] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.333285] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.342900] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 43.349052] 8021q: adding VLAN 0 to HW filter on device team0
[ 43.357243] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 43.365078] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.371449] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.391265] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.398848] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.405232] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.412401] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 43.419874] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 43.427430] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.434737] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 43.442886] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 43.450823] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 43.456806] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 43.468628] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 43.477878] 8021q: adding VLAN 0 to HW filter on device batadv0
executing program
[ 43.570426] protocol 88fb is buggy, dev hsr_slave_0
[ 43.575635] protocol 88fb is buggy, dev hsr_slave_1
[ 43.631027] ==================================================================
[ 43.638583] BUG: KASAN: slab-out-of-bounds in tcf_exts_destroy+0x2a3/0x320
[ 43.645576] Read of size 4 at addr ffff888096b8eeb4 by task syz-executor514/6959
[ 43.653100]
[ 43.654708] CPU: 0 PID: 6959 Comm: syz-executor514 Not tainted 4.14.150 #0
[ 43.661698] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.671047] Call Trace:
[ 43.673620] dump_stack+0x138/0x197
[ 43.677224] ? tcf_exts_destroy+0x2a3/0x320
[ 43.681522] print_address_description.cold+0x7c/0x1dc
[ 43.686774] ? tcf_exts_destroy+0x2a3/0x320
[ 43.691076] kasan_report.cold+0xa9/0x2af
[ 43.695209] __asan_report_load4_noabort+0x14/0x20
[ 43.700118] tcf_exts_destroy+0x2a3/0x320
[ 43.704242] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 43.709670] ? rcu_read_lock_sched_held+0x110/0x130
[ 43.714663] ? tcf_exts_get_dev+0x3e0/0x3e0
[ 43.718966] tcindex_free_perfect_hash.isra.0+0x9f/0x120
[ 43.724397] tcindex_set_parms+0xece/0x1aa0
[ 43.728698] ? tcindex_alloc_perfect_hash+0x300/0x300
[ 43.733882] ? save_trace+0x290/0x290
[ 43.737677] ? nla_parse+0x186/0x240
[ 43.741392] tcindex_change+0x1cf/0x28d
[ 43.745361] ? tcindex_set_parms+0x1aa0/0x1aa0
[ 43.749923] ? tcindex_lookup+0x92/0x310
[ 43.753962] ? tcindex_set_parms+0x1aa0/0x1aa0
[ 43.758523] tc_ctl_tfilter+0xff1/0x1aba
[ 43.762577] ? tfilter_notify+0x240/0x240
[ 43.766712] ? mutex_trylock+0x1c0/0x1c0
[ 43.770758] ? save_trace+0x290/0x290
[ 43.774574] ? tfilter_notify+0x240/0x240
[ 43.778703] rtnetlink_rcv_msg+0x3eb/0xb70
[ 43.782918] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.787565] ? netlink_deliver_tap+0x93/0x8f0
[ 43.792039] netlink_rcv_skb+0x14f/0x3c0
[ 43.796097] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.800655] ? lock_downgrade+0x740/0x740
[ 43.804782] ? netlink_ack+0x9a0/0x9a0
[ 43.808659] ? netlink_deliver_tap+0xba/0x8f0
[ 43.813149] rtnetlink_rcv+0x1d/0x30
[ 43.816850] netlink_unicast+0x45d/0x640
[ 43.820889] ? netlink_attachskb+0x6a0/0x6a0
[ 43.825275] ? security_netlink_send+0x81/0xb0
[ 43.829837] netlink_sendmsg+0x7c4/0xc60
[ 43.833876] ? netlink_unicast+0x640/0x640
[ 43.838106] ? security_socket_sendmsg+0x89/0xb0
[ 43.842849] ? netlink_unicast+0x640/0x640
[ 43.847085] sock_sendmsg+0xce/0x110
[ 43.850776] ___sys_sendmsg+0x349/0x840
[ 43.854729] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 43.859464] ? __lock_acquire+0x5f7/0x4620
[ 43.863673] ? trace_hardirqs_on+0x10/0x10
[ 43.867882] ? __lock_acquire+0x5f7/0x4620
[ 43.872108] ? fs_reclaim_acquire+0x20/0x20
[ 43.876427] ? trace_hardirqs_on+0x10/0x10
[ 43.880647] ? check_preemption_disabled+0x3c/0x250
[ 43.885662] ? save_trace+0x290/0x290
[ 43.889452] ? selinux_file_alloc_security+0xb4/0x190
[ 43.894644] ? __fd_install+0x1fb/0x5f0
[ 43.898687] ? __fget_light+0x172/0x1f0
[ 43.902655] ? __fdget+0x1b/0x20
[ 43.906008] ? sockfd_lookup_light+0xb4/0x160
[ 43.910487] __sys_sendmmsg+0x152/0x3a0
[ 43.914451] ? SyS_sendmsg+0x50/0x50
[ 43.918155] ? errseq_sample+0x4d/0x60
[ 43.922062] ? sock_alloc_file+0x1c0/0x2f0
[ 43.926272] ? sock_poll+0x220/0x220
[ 43.929965] ? fd_install+0x4d/0x60
[ 43.933586] ? sock_map_fd+0x56/0x80
[ 43.937294] ? SyS_socket+0x103/0x170
[ 43.941104] ? security_file_ioctl+0x7d/0xb0
[ 43.945492] ? security_file_ioctl+0x89/0xb0
[ 43.949880] SyS_sendmmsg+0x35/0x60
[ 43.953491] ? __sys_sendmmsg+0x3a0/0x3a0
[ 43.957712] do_syscall_64+0x1e8/0x640
[ 43.961578] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.966402] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.971586] RIP: 0033:0x443299
[ 43.974755] RSP: 002b:00007ffde338f1e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 43.982438] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299
[ 43.989687] RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
[ 43.996935] RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
[ 44.004199] R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
[ 44.011450] R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000
[ 44.018703]
[ 44.020316] Allocated by task 6959:
[ 44.024017] save_stack_trace+0x16/0x20
[ 44.027971] save_stack+0x45/0xd0
[ 44.031400] kasan_kmalloc+0xce/0xf0
[ 44.035091] __kmalloc+0x15d/0x7a0
[ 44.038607] tcindex_alloc_perfect_hash+0x54/0x300
[ 44.043524] tcindex_set_parms+0x3de/0x1aa0
[ 44.047912] tcindex_change+0x1cf/0x28d
[ 44.051866] tc_ctl_tfilter+0xff1/0x1aba
[ 44.055906] rtnetlink_rcv_msg+0x3eb/0xb70
[ 44.060130] netlink_rcv_skb+0x14f/0x3c0
[ 44.064178] rtnetlink_rcv+0x1d/0x30
[ 44.067882] netlink_unicast+0x45d/0x640
[ 44.071930] netlink_sendmsg+0x7c4/0xc60
[ 44.076054] sock_sendmsg+0xce/0x110
[ 44.079753] ___sys_sendmsg+0x349/0x840
[ 44.083793] __sys_sendmmsg+0x152/0x3a0
[ 44.087788] SyS_sendmmsg+0x35/0x60
[ 44.091399] do_syscall_64+0x1e8/0x640
[ 44.095267] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.100433]
[ 44.102040] Freed by task 0:
[ 44.105039] (stack is not available)
[ 44.108752]
[ 44.110370] The buggy address belongs to the object at ffff888096b8ee40
[ 44.110370] which belongs to the cache kmalloc-128 of size 128
[ 44.123028] The buggy address is located 116 bytes inside of
[ 44.123028] 128-byte region [ffff888096b8ee40, ffff888096b8eec0)
[ 44.134877] The buggy address belongs to the page:
[ 44.139797] page:ffffea00025ae380 count:1 mapcount:0 mapping:ffff888096b8e000 index:0x0
[ 44.147943] flags: 0x1fffc0000000100(slab)
[ 44.152172] raw: 01fffc0000000100 ffff888096b8e000 0000000000000000 0000000100000015
[ 44.160042] raw: ffffea0001ffa9e0 ffff8880aa801548 ffff8880aa800640 0000000000000000
[ 44.167903] page dumped because: kasan: bad access detected
[ 44.173591]
[ 44.175218] Memory state around the buggy address:
[ 44.180153] ffff888096b8ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.187490] ffff888096b8ee00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 44.194828] >ffff888096b8ee80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 44.202170] ^
[ 44.207087] ffff888096b8ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.214423] ffff888096b8ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.221755] ==================================================================
[ 44.229092] Disabling lock debugging due to kernel taint
[ 44.234674] protocol 88fb is buggy, dev hsr_slave_0
[ 44.239729] protocol 88fb is buggy, dev hsr_slave_1
[ 44.246004] Kernel panic - not syncing: panic_on_warn set ...
[ 44.246004]
[ 44.253479] CPU: 0 PID: 6959 Comm: syz-executor514 Tainted: G B 4.14.150 #0
[ 44.261687] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.271022] Call Trace:
[ 44.273767] dump_stack+0x138/0x197
[ 44.277371] ? tcf_exts_destroy+0x2a3/0x320
[ 44.281679] panic+0x1f9/0x42d
[ 44.284857] ? add_taint.cold+0x16/0x16
[ 44.288816] ? ___preempt_schedule+0x16/0x18
[ 44.293208] kasan_end_report+0x47/0x4f
[ 44.297164] kasan_report.cold+0x130/0x2af
[ 44.301393] __asan_report_load4_noabort+0x14/0x20
[ 44.306299] tcf_exts_destroy+0x2a3/0x320
[ 44.310427] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 44.315853] ? rcu_read_lock_sched_held+0x110/0x130
[ 44.320846] ? tcf_exts_get_dev+0x3e0/0x3e0
[ 44.325146] tcindex_free_perfect_hash.isra.0+0x9f/0x120
[ 44.330572] tcindex_set_parms+0xece/0x1aa0
[ 44.334875] ? tcindex_alloc_perfect_hash+0x300/0x300
[ 44.340046] ? save_trace+0x290/0x290
[ 44.343831] ? nla_parse+0x186/0x240
[ 44.347529] tcindex_change+0x1cf/0x28d
[ 44.351478] ? tcindex_set_parms+0x1aa0/0x1aa0
[ 44.356047] ? tcindex_lookup+0x92/0x310
[ 44.360098] ? tcindex_set_parms+0x1aa0/0x1aa0
[ 44.364673] tc_ctl_tfilter+0xff1/0x1aba
[ 44.368729] ? tfilter_notify+0x240/0x240
[ 44.372864] ? mutex_trylock+0x1c0/0x1c0
[ 44.376903] ? save_trace+0x290/0x290
[ 44.380683] ? tfilter_notify+0x240/0x240
[ 44.384806] rtnetlink_rcv_msg+0x3eb/0xb70
[ 44.389020] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.393579] ? netlink_deliver_tap+0x93/0x8f0
[ 44.398062] netlink_rcv_skb+0x14f/0x3c0
[ 44.402104] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.406662] ? lock_downgrade+0x740/0x740
[ 44.410783] ? netlink_ack+0x9a0/0x9a0
[ 44.414676] ? netlink_deliver_tap+0xba/0x8f0
[ 44.419147] rtnetlink_rcv+0x1d/0x30
[ 44.422835] netlink_unicast+0x45d/0x640
[ 44.426871] ? netlink_attachskb+0x6a0/0x6a0
[ 44.431260] ? security_netlink_send+0x81/0xb0
[ 44.435818] netlink_sendmsg+0x7c4/0xc60
[ 44.439854] ? netlink_unicast+0x640/0x640
[ 44.444066] ? security_socket_sendmsg+0x89/0xb0
[ 44.448794] ? netlink_unicast+0x640/0x640
[ 44.453003] sock_sendmsg+0xce/0x110
[ 44.456715] ___sys_sendmsg+0x349/0x840
[ 44.460676] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 44.465420] ? __lock_acquire+0x5f7/0x4620
[ 44.469631] ? trace_hardirqs_on+0x10/0x10
[ 44.473847] ? __lock_acquire+0x5f7/0x4620
[ 44.478068] ? fs_reclaim_acquire+0x20/0x20
[ 44.482365] ? trace_hardirqs_on+0x10/0x10
[ 44.486579] ? check_preemption_disabled+0x3c/0x250
[ 44.491588] ? save_trace+0x290/0x290
[ 44.495365] ? selinux_file_alloc_security+0xb4/0x190
[ 44.500532] ? __fd_install+0x1fb/0x5f0
[ 44.504481] ? __fget_light+0x172/0x1f0
[ 44.508430] ? __fdget+0x1b/0x20
[ 44.511795] ? sockfd_lookup_light+0xb4/0x160
[ 44.516266] __sys_sendmmsg+0x152/0x3a0
[ 44.520227] ? SyS_sendmsg+0x50/0x50
[ 44.523919] ? errseq_sample+0x4d/0x60
[ 44.527781] ? sock_alloc_file+0x1c0/0x2f0
[ 44.531988] ? sock_poll+0x220/0x220
[ 44.535678] ? fd_install+0x4d/0x60
[ 44.539292] ? sock_map_fd+0x56/0x80
[ 44.542979] ? SyS_socket+0x103/0x170
[ 44.546771] ? security_file_ioctl+0x7d/0xb0
[ 44.551155] ? security_file_ioctl+0x89/0xb0
[ 44.555549] SyS_sendmmsg+0x35/0x60
[ 44.559164] ? __sys_sendmmsg+0x3a0/0x3a0
[ 44.563291] do_syscall_64+0x1e8/0x640
[ 44.567165] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.571988] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.577152] RIP: 0033:0x443299
[ 44.580373] RSP: 002b:00007ffde338f1e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 44.588064] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299
[ 44.595314] RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
[ 44.602568] RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
[ 44.609850] R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
[ 44.617103] R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000
[ 44.625617] Kernel Offset: disabled
[ 44.629281] Rebooting in 86400 seconds..